
Asking the Right Questions

Asking the right questions is an essential part of any audit, particularly an audit or review of your own MVS/RACF installation or a peer review of another installation. In such a review or audit, your principal review objectives are:

1. To judge the effectiveness of the RACF implementation from a security viewpoint

2. To identify any security exposures

3. To recommend ways to improve the system

Chapter 1. The RACF Auditor

1-21

To accomplish these objectives, you need to quickly understand the significant features of the installation under review. It is generally useful to interview as few people as possible and to include a senior member of the system support group in the people you interview. If you ask the right questions of the right people, you will often find that the person you are talking with can both supply the information you need and identify any security exposures.

One way to deal with the mass of information available or required for an audit is to divide it into categories: preliminary information, MVS information, and RACF information. The balance of this chapter uses these categories as a structure for identifying blocks of information you need or questions you might ask. You will probably find that not all of the suggestions apply at any one installation, and that a particular installation requires additional investigation. Thus, it is a good idea to treat these suggestions as a starting point, then tailor and expand your audit to fit the conditions that exist.

When you are conducting an audit, you should have current installation reports from the data security monitor (DSMON). These reports are helpful in answering a number of your questions. You can also use the DSMON reports to verify that the actual status of various security mechanisms is what you and the installation expect.

Preliminary Information

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. * List the processor complexes and their associated system control programs (SCPs), as well as the release and level of RACF for each.

2. For each processor complex, list the subsystems, such as TSO, IMS, CICS, and any other subsystems protected by RACF (including the release and level of each).

3. Are processor complexes linked (for example, by NJE, JES2, or JES3)?

4. Is DASD shared between systems? What type of data is shared?

5. Do you have dial-up lines?

6. Explain briefly the classification system.

7. What is the highest classification of data processed and/or transmitted?

MVS Implementation/Integrity

An operating system should have integrity; that is, it should prevent one program from interfering with or modifying the execution of another system or user program unless the interference is authorized. To increase your awareness of potential security problems, see MVS Security, GC28-1400. It provides overview information about the MVS products and features that promote security.

Basic MVS System

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. * What is the MVS version and release level and PTF level (PUT tape)?

2. How many local modifications have been applied (excluding exit routines)?

3. What are the main areas and/or functions modified?

4. What user SVCs does the system include and what is their purpose?

5. What exit routines are in the system and what is their purpose? Could these exit routines affect RACF protection? (Do not list RACF exit routines here.) Some examples of subsystems or components that can have exit routines are:

SMF
TSO
JES
Job management

6. Are the MVS systems the same on all processor complexes?

MVS Authorization

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. * What are the entries in the program properties table (PPT) that automatically bypass password protection?

2. What are the authorized libraries?

* In SYS1.PARMLIB (IEAAPFxx)?
* In SYS1.PARMLIB (LNKLSTxx)?
In SYS1.PARMLIB (IEALPAxx)?

3. What programs that require authorization, other than standard IBM programs, are in these libraries?

4. What are the commands and programs that can be executed APF-authorized in the foreground (CSECTs IKJEFTE2 and IKJEFTE8 in module IKJEFT03)?

5. * Is the list of authorized programs and commands reasonable and consistent with the installation's security goals?

6. How are changes and additions to the authorized libraries controlled? Who authorizes changes?


MVS System Protection

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. How are changes to the MVS system controlled and documented?

2. How are the system libraries (including page data sets, dump data sets, JES spool and checkpoint data sets, and SMP data sets) protected? Who can access these libraries?

3. * What libraries have a universal access of READ?

4. * What libraries have a universal access of UPDATE or higher?

5. Are the DLIB data sets also protected?

6. * Are all the catalogs (VSAM and CVOL) protected?

7. * Are key security items (such as RACF data sets, SYS1.UADS, password data set, cipher key file, SMF data sets, source and load modules for RACF exit routines, and SMF routines) all identified and protected?

8. If JES3 is installed, is use of DSP controlled (including utilities such as tape to tape and tape to print)?

Miscellaneous

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. Can bypass label processing (BLP) be used? If yes, how is it controlled?

2. Is OS password protection used? If yes, why?

3. If dial-up terminals are used, how is unauthorized use prevented?

4. Is full SMF recording in use? If not, what is excluded either by options or exit routine code?

5. What is the wait limit that causes a terminal to be logged off?

6. How far back do system backup dumps go?

7. Are all IPLs logged and the reasons reported?

8. Is all time on the system accounted for?

9. * Is it possible to detect if the system has been loaded without RACF?

10. How is the use of TSO commands (such as RVARY) controlled?

RACF Implementation

Installing RACF does not necessarily mean that the RACF security facilities were correctly implemented and are being correctly maintained. (For more information about implementing RACF, see the RACF Security Administrator's Guide.)

Protection Plan

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. * How many RACF users and groups do you have?

2. Do you have any non-RACF users? If so, why?

3. Which of the following resources are RACF-protected, what proportion of each is protected, and how is it decided which to protect?

DASD data sets
Tapes
Terminals
IMS
CICS
Key resources unique to the installation

4. How does the installation ensure that appropriate protection is maintained? Does it, for example, use ADSP, end user decision, or installation procedures?

5. What protection is available for resources NOT protected by RACF?

6. Is the protection policy reasonable?

Usage

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. * Which userids (including started tasks) have any of the following privileged attributes or authorities? Why?

SPECIAL and group-SPECIAL
OPERATIONS and group-OPERATIONS
AUDITOR and group-AUDITOR
CLAUTH
JOIN
CONNECT
GRPACC

2. How is the granting of these privileges controlled?

3. Is DASDVOL authorization used instead of the OPERATIONS user attribute?

4. Are userids shared? If so, why, and how is accountability maintained?

5. Is the default for UACC always NONE? If not, why?

6. How are password qualities complied with? Do you use, for example, password length, nature (alphabetic, alphanumeric, no vowels), repetition, or change frequency?

7. What RACF information, such as the following, is logged to SMF?

Command violations
Changes to profiles
Accesses to specific resources
Actions of SPECIAL and group-SPECIAL users
Actions of OPERATIONS and group-OPERATIONS users

8. Who decides what resource access information is to be collected? On what criteria?

9. What RACF statistics are collected?

10. What are the access rules when RACF is inactive or unavailable, such as stop production, perform repair work only, or allow selected jobs/applications to run?

11. Is WARNING mode active, entirely or partially? Are there non-WARNING mode resources?

12. Do access lists contain groups rather than individuals?

13. How is the authority to run production work handled? Does the job submitter have access to production data?

14. Do you need to delete tape profiles before using them again? If so, how are the profiles deleted?

15. How is RACF protection handled in disaster recovery plans?

16. Describe any operational/usage problems for which the installation cannot currently determine a solution.
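Several of the Usage questions above (1, 5, 11 and 12) and MVS System Protection question 4 can be answered mechanically once the installation's definitions are extracted. The following is an added example, not part of the Auditor's Guide and not IBM code: it runs those checks over a constructed, simplified view of RACF definitions. The User and DatasetProfile shapes and the sample userids, groups and profiles are invented for this example; they are not the RACF database unload or DSMON report formats, which an installation would parse to feed such checks.

```python
# Added example: audit checks for the Usage questions, over constructed data.
# The data shapes below are invented for this example, not a RACF format.
from dataclasses import dataclass

# Attributes Usage question 1 asks about; a "group-" prefix marks the
# group-scoped form (group-SPECIAL, group-OPERATIONS, group-AUDITOR).
PRIVILEGED_ATTRIBUTES = ("SPECIAL", "OPERATIONS", "AUDITOR", "CLAUTH")

# Universal access levels from weakest to strongest authority.
ACCESS_ORDER = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")


@dataclass
class User:
    userid: str
    attributes: frozenset  # e.g. frozenset({"SPECIAL"}) or frozenset({"group-OPERATIONS"})


@dataclass
class DatasetProfile:
    name: str
    uacc: str
    warning: bool      # True when the profile is in WARNING mode
    access_list: dict  # entry (userid or group name) -> access level


def access_rank(level):
    """Position of an access level in ACCESS_ORDER, so levels can be compared."""
    return ACCESS_ORDER.index(level.upper())


def privileged_users(users):
    """Usage question 1: (userid, attribute) for every privileged attribute held,
    whether system-wide or group-scoped."""
    found = []
    for user in users:
        for attr in sorted(user.attributes):
            if attr.split("-")[-1] in PRIVILEGED_ATTRIBUTES:
                found.append((user.userid, attr))
    return found


def uacc_not_none(profiles):
    """Usage question 5: profiles whose UACC is anything other than NONE."""
    return [(p.name, p.uacc) for p in profiles if access_rank(p.uacc) > access_rank("NONE")]


def profiles_with_uacc_at_least(profiles, level):
    """MVS System Protection question 4 when level="UPDATE": profiles whose UACC
    is the given level or stronger."""
    return [(p.name, p.uacc) for p in profiles if access_rank(p.uacc) >= access_rank(level)]


def individual_access_entries(profiles, groups):
    """Usage question 12: access-list entries that name a userid rather than a
    group, returned as (profile, entry, level)."""
    group_names = set(groups)
    return [(p.name, entry, level)
            for p in profiles
            for entry, level in p.access_list.items()
            if entry not in group_names]


def warning_mode_profiles(profiles):
    """Usage question 11: profiles in WARNING mode. RACF logs, but still allows,
    an access that the profile would otherwise deny, so the profile does not yet
    restrict anything."""
    return [p.name for p in profiles if p.warning]


# Constructed sample data for the checks above (not from any real system).
SAMPLE_USERS = (
    User("ADMIN1", frozenset({"SPECIAL"})),
    User("OPER1", frozenset({"group-OPERATIONS"})),
    User("AUD1", frozenset({"AUDITOR"})),
    User("DEV1", frozenset()),
)
SAMPLE_GROUPS = ("SYSPROG", "PAYROLL")
SAMPLE_PROFILES = (
    DatasetProfile("SYS1.LINKLIB", "READ", False, {"SYSPROG": "UPDATE"}),
    DatasetProfile("SYS1.PARMLIB", "NONE", False, {"SYSPROG": "UPDATE"}),
    DatasetProfile("PAYROLL.MASTER", "UPDATE", True, {"PAYROLL": "UPDATE", "DEV1": "READ"}),
)


def run_audit(users=SAMPLE_USERS, groups=SAMPLE_GROUPS, profiles=SAMPLE_PROFILES):
    """Collect every finding into one dictionary keyed by the question it answers."""
    return {
        "privileged_users": privileged_users(users),
        "uacc_not_none": uacc_not_none(profiles),
        "uacc_update_or_higher": profiles_with_uacc_at_least(profiles, "UPDATE"),
        "individual_access_entries": individual_access_entries(profiles, groups),
        "warning_mode": warning_mode_profiles(profiles),
    }


if __name__ == "__main__":
    for question, findings in run_audit().items():
        print(f"{question}:")
        for finding in findings:
            print(f"  {finding}")
```

Each finding is a fact for the auditor to take to the interview, not a verdict: a SPECIAL userid or a READ UACC on a system library may be entirely appropriate, and the question's "Why?" is answered by the installation, not by the script.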

Technical

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. * What RACF exit routines are used, and what functions do they perform? The following list identifies the exits.

ICHDEX01 (password encryption)
ICHRIX01 (RACINIT pre)
ICHRIX02 (RACINIT post)
ICHRCX01 (RACHECK pre)
ICHRCX02 (RACHECK post)
ICHRDX01 (RACDEF pre)
ICHCCX00 (command pre)
ICHCNX00 (command pre)
ICHRFX01 (FRACHECK pre)
ICHRFX02 (FRACHECK post)
ICHPWX01 (new password)
ICHRLX01 (RACLIST pre/post)
ICHRLX02 (RACLIST selection)
ICHRSMFE (report writer)

2. How are the exit routine functions and changes authorized and controlled?

3. Who is allowed to update exit routine code (both source and load form)?

4. What SETROPTS options are used? Are any important protection and/or monitoring functions set off?

5. Have basic RACF facilities been enhanced, excluding exit routine code?

6. * How many primary RACF data sets are there?

7. * Does each primary data set have a backup on a different volume?

8. What other backup facilities exist for RACF data sets?

9. How is the RACF data set synchronized after a restore?

10. * Are all RACF data sets adequately protected, and who has access to them?

11. How does the installation control the switching and deactivating of the RACF data sets (RVARY command, IPL/data set name table)?

12. What is in the started task table (ICHRIN03), and is the authority of the associated userids appropriate?

13. Are any special checks required on the use of PERMIT?

14. How are passwords protected against disclosure when batch jobs are submitted through internal readers?

15. How are restores of entire volumes handled? How are synchronization problems between volumes and RACF data sets resolved?

Administration Control

An * before a question indicates you can answer all or part of the question by using the DSMON reports.

1. Who is responsible for the administration of RACF?

2. Who is responsible for the technical aspects of RACF?

3. Are data owners identified?

4. Do data owners classify their data?


5. Is the degree of protection provided by the installation based on the owner classification?

6. Are there written and approved procedures for RACF administration?

7. Does the installation maintain written records of requests for changes to RACF protection and the resulting actions taken?

8. How are users and groups administered? How are additions, deletions, changes, connections, and authorities handled?

9. How is the authority to protect resources and grant access checked and handled?

10. How is the granting of temporary authorities handled? Can users issue PERMIT /CONNECT for temporary access, or are there privileged attributes available for emergency use?

11. How is password distribution handled?

12. How are lost passwords handled?

13. Is additional verification required for users with privileged attributes? Are these users restricted to particular terminals?

14. * Is there an emergency userid with the SPECIAL attribute available for use when no other SPECIAL userid can be used? If so, how does the installation protect the userid and its password?

15. * Is the auditor a different person from the RACF security administrator? What are the responsibilities of the auditor?

16. Is there any user education available?

Management Control

1. What reports are available to users, owners, and installation management to ensure that the system is not being misused? Examples are reports that identify violation attempts, unauthorized access attempts, and unauthorized use of commands and privileges.

2. How frequently are reports produced, and who sees them?

3. If a security violation occurs, what follow-up action does the installation take?

4. Is the installation using DSMON reports to monitor the basic system security environment? If not, why isn't it?

Chapter 2. The RACF Report Writer

A successful security mechanism requires that appropriate personnel, particularly the auditor and the security administrator, can assess the implementation of the security mechanism and the use of the resources it protects. The RACF report writer provides a wide range of reports that enable you to monitor and verify the use of the system and resources.

The RACF report writer lists the contents of RACF SMF records in a format that is easy to read. The RACF report writer can also generate reports based on the information in the SMF records. With the RACF report writer, you can obtain:

Reports that describe attempts to access a particular RACF-protected resource in terms of user identity, number and type of successful accesses, and number and type of attempted security violations.

Reports that describe user and group activity.

Reports that summarize system use and resource use.
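To make concrete what the first two kinds of report contain, here is an added example that is not part of the Auditor's Guide and is not the RACF report writer: it builds a per-resource access report and a per-user activity summary from a constructed list of access events, and derives the follow-up list Management Control question 3 asks about. The event dictionaries are an invented, simplified shape; the real report writer reads RACF SMF records, whose layout is not reproduced here.

```python
# Added example: report-writer-style summaries over constructed access events.
# The event shape below is invented for this example, not the SMF record layout.

# Constructed sample events: who attempted what access against which resource,
# and whether RACF allowed it (SUCCESS) or denied it (VIOLATION).
SAMPLE_EVENTS = [
    {"user": "DEV1", "resource": "PAYROLL.MASTER", "access": "READ", "result": "SUCCESS"},
    {"user": "DEV1", "resource": "PAYROLL.MASTER", "access": "UPDATE", "result": "VIOLATION"},
    {"user": "DEV1", "resource": "PAYROLL.MASTER", "access": "UPDATE", "result": "VIOLATION"},
    {"user": "PAY01", "resource": "PAYROLL.MASTER", "access": "UPDATE", "result": "SUCCESS"},
    {"user": "OPER1", "resource": "SYS1.PARMLIB", "access": "UPDATE", "result": "SUCCESS"},
    {"user": "GUEST", "resource": "SYS1.PARMLIB", "access": "READ", "result": "VIOLATION"},
]


def resource_report(events, resource):
    """Attempts against one resource by user, then by outcome, then by the access
    level attempted: {user: {"SUCCESS": {level: n}, "VIOLATION": {level: n}}}."""
    report = {}
    for event in events:
        if event["resource"] != resource:
            continue
        by_outcome = report.setdefault(event["user"], {"SUCCESS": {}, "VIOLATION": {}})
        counts = by_outcome[event["result"]]
        counts[event["access"]] = counts.get(event["access"], 0) + 1
    return report


def user_activity(events):
    """Per-user totals across all resources: {user: {"SUCCESS": n, "VIOLATION": n}}."""
    totals = {}
    for event in events:
        user_totals = totals.setdefault(event["user"], {"SUCCESS": 0, "VIOLATION": 0})
        user_totals[event["result"]] += 1
    return totals


def users_with_violations(events, threshold=1):
    """Users whose violation count reaches the threshold, sorted: the list an
    installation follows up on after a violation (Management Control question 3)."""
    return sorted(user for user, totals in user_activity(events).items()
                  if totals["VIOLATION"] >= threshold)


def format_resource_report(events, resource):
    """Render resource_report() as a readable listing, one line per
    user/outcome/access-level combination."""
    lines = [f"Resource: {resource}"]
    for user, by_outcome in sorted(resource_report(events, resource).items()):
        for outcome in ("SUCCESS", "VIOLATION"):
            for level, count in sorted(by_outcome[outcome].items()):
                lines.append(f"  {user:<8} {outcome:<9} {level:<7} {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_resource_report(SAMPLE_EVENTS, "PAYROLL.MASTER"))
    print("Users with violations:", users_with_violations(SAMPLE_EVENTS))
```

The threshold in users_with_violations is what separates a mistyped data set name from a pattern worth investigating; in the sample, DEV1's two denied UPDATE attempts on PAYROLL.MASTER stand out, while GUEST's single denied READ is reported but would normally be reviewed with less urgency.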
